A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

Size: px

Start display at page:

Download "A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073"

Tyler Paul
6 years ago
Views:

1 A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N Ellen Jochemsz 1 and Alexander May 2 1 Department of Mathematics and Computer Science, TU Eindhoven, 5600 MB Eindhoven, the Netherlands e.jochemsz@tue.nl 2 Faculty of Computer Science TU Darmstadt, Darmstadt, Germany may@informatik.tu-darmstadt.de Abstract Wiener s famous attack on RSA with d < N 0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where d p = d mod (p 1) and d q = d mod (q 1) are chosen significantly smaller than p and q. The parameters d p, d q are called private CRT-exponents. Since Wiener s proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if d p and d q are smaller than N Keywords: RSA, CRT, cryptanalysis, small exponents, Coppersmith s method. 1 Introduction In the RSA cryptosystem, the public modulus N = pq is a product of two primes of the same bitsize. The public and private exponent e and d satisfy ed = 1 mod (p 1)(q 1). In many applications of RSA, either e or d is chosen to be small, for efficient modular exponentiation in the encryption/verifying or in the decryption/signing phase. It is well-known that it is dangerous to choose a small private exponent, since Wiener [22] showed that the RSA scheme is insecure if d < N 0.25, which was extended to d < N by Boneh and Durfee [4]. The work described in this paper has been supported in part by the European Commission through the IST Programme under Contract IST ECRYPT. The information in this document reflects only the author s views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

2 2 As an alternative approach, Wiener proposed to use the Chinese Remainder Theorem (CRT) for decryption/signing as described by Quisquater and Couvreur in [18], and to use small private CRT-exponents instead of a small private exponent. In that case, the public exponent e and private CRT-exponents d p and d q satisfy ed p = 1 mod (p 1) and ed q = 1 mod (q 1). To obtain a fast decryption/signing phase, d p and d q are chosen significantly smaller than p and q. In time-critical applications, for instance for signing procedures on smartcards, this technique is especially useful. Whether there exists a polynomial time attack on this RSA-CRT system with small d p and d q has been a challenging open question since Wiener s work (see also the comments in Boneh-Durfee [4], the STORK roadmap [19], and the ECRYPT document on the hardness of the main computational problems in cryptography [9]). So far, the best attack on this variant is a square-root attack [3] that enables an adversary to factor N in time and space Õ(min{ d p, d q }), which is exponential in the bitsize of d p and d q. All other attacks on RSA with small private CRT-exponents can be divided in two categories. First, there are attacks on the special case where p and q are unbalanced (not of the same bitsize). May [16] described two attacks that work up to a smallest prime factor of N Recently, Bleichenbacher and May [2] improved this to N Secondly, there are attacks on a special case where not only d p and d q, but also e is chosen to be small. Galbraith, Heneghan and McKee [10] and Sun and Wu [20] have made proposals to use RSA-CRT in a way that balances the cost of encryption and decryption by forcing both e and d p, d q to be small. In these articles, several attacks are described, after which the authors propose parameters that are not affected by these attacks. Bleichenbacher and May [2] in turn described a new attack on RSA-CRT with balanced exponents, forcing Galbraith, Heneghan, McKee and Sun, Wu to revise their parameter suggestions in [11] and [21], respectively. However, the attacks in both categories are not applicable in the standard RSA case with small CRT-exponents d p and d q, that is, when p and q are balanced and e is full size. In this paper, we describe a way to extend one of the attacks of Bleichenbacher, May [2] such that it also works in the standard RSA- CRT case. This leads to the first polynomial time attack on standard RSA with small private CRT-exponents. More precisely, we present the following result. Theorem 1 (RSA-CRT with Small d p, d q ). Under a well-known heuristic assumption (as described in Section 6), for every ɛ > 0 and sufficiently large n, the following holds: Let N = pq be an n-bit RSA modulus, and p, q primes of bitsize n 2. Let e < φ(n), d p < p 1, and d q < q 1 be the public exponent and private CRT-exponents, satisfying ed p 1 mod (p 1) and ed q 1 mod (q 1). Let bitsize(d p ) δn and bitsize(d q ) δn. Then N can be factored in time polynomial in log(n) provided that δ < ɛ.

3 3 The rest of the paper is organized as follows. In Section 2, we give a brief introduction to Coppersmith s lattice-based method for finding small roots of polynomials [5]. In Section 3, we recall the Bleichenbacher-May attack [2]. In Section 4, we show how an extension of the attack leads to our new attack on standard RSA-CRT with δ < ɛ. Furthermore, we generalize our bound to public exponents e of arbitrary size, and show that this leads to a polynomial time attack on one of the revised parameter choices in [21]. In Section 5, we explain in detail how we use Coppersmith s original method for the implementation of the attack. In Section 6, we discuss the only heuristic part of the attack, namely how to retrieve a common root from a number of polynomials. We conclude in Section 7 by giving experimental data for our attack. 2 Finding Small Roots of Polynomials Many attacks in RSA cryptanalysis use a similar technique, which originated from Coppersmith s work on finding small roots of polynomials [5]. In essence, the attack starts with a polynomial equation in some of the unknowns of the RSA variant, such as p, q, d, or d p and d q in the case of RSA-CRT. An example is the usual RSA equation ed = 1 + k(n + 1 (p + q)), with the unknowns d, k, p, and q. Such an equation yields a polynomial f which has a certain root that an attacker wishes to find. In the example, the polynomial f(x 1, x 2, x 3 ) = ex 1 1 x 2 (N + 1 x 3 ) has the root (x (0) 1, x(0) 2, x(0) 3 ) = (d, k, p + q). Finding the root is equivalent to factoring N, since p, q can be computed from p + q using N = pq. The goal is to derive a polynomial time attack provided that the size of the root is below a certain bound. In our new attack on standard RSA-CRT (Section 4), our goal is to find a root of a four-variate polynomial f(x 1, x 2, x 3, x 4 ). We follow the strategy of Jochemsz and May [13], that we will sketch here. Let (x (0) 1, x(0) 2, x(0) 3, x(0) 4 ) be a root of the polynomial f(x 1, x 2, x 3, x 4 ) that is small in the sense that x (0) 1 < X 1, x (0) 2 < X 2, x (0) 3 < X 3, x (0) 4 < X 4, for some known upper bounds X j, for j = 1,..., 4. Moreover, we define W as the maximal absolute coefficient of f(x 1 X 1, x 2 X 2, x 3 X 3, x 4 X 4 ). That is, W := f(x 1 X 1, x 2 X 2, x 3 X 3, x 4 X 4 ), where f(x 1, x 2, x 3, x 4 ) = max a i1i 2i 3i 4 for a polynomial f(x 1, x 2, x 3, x 4 ) = a i1i 2i 3i 4 1 xi2 2 xi3 3 xi4 4. A basis B of a lattice L is defined via so-called shift polynomials of the form 1 xi2 2 xi3 3 xi4 4 f(x 1, x 2, x 3, x 4 ). The choice of the combinations {i 1, i 2, i 3, i 4 } that are used is described by a set S. The set M then consists of all monomials that appear in the shift polynomials. The choice of S is crucial and depends on the

4 4 monomials that appear in f. We will give the precise definition of S in Section 4 for our specific polynomial. Then, LLL-reduction [15] is performed on B to find small vectors in the lattice L. From a result of [13], we know that under the condition X s1 1 Xs2 2 Xs3 3 Xs4 4 < W s, for s j = x i 1 1 x i 2 3 x i 4 4 M\S i j and s = S, (1) the first vectors in the reduced basis are small enough to ensure that we find a list f 0,..., f l of at least three polynomials that all have the root (x (0) 1, x(0) 2, x(0) 3, x(0) 4 ) over the integers. The polynomials {f, f 0,..., f l } will reveal their common root (x (0) 1, x(0) 2, x(0) 3, x(0) 4 ) under the assumption that three variables can be eliminated from the polynomial system of equations {f = 0, f 0 = 0,..., f l = 0}. Resultant computations are often used for this elimination process, but we choose to use Gröbner Bases, as we will explain in Section 6. Experiments must be done to verify that the elimination assumption holds in practice. 3 The Bleichenbacher-May Attack In [2], Bleichenbacher and May describe two new attacks on RSA-CRT. One of them is meant for the case that both e and d p and d q are chosen to be smaller than in standard RSA-CRT. For notation, we use e = N α, d p < N δ, and d q < N δ for some α [0, 1] and δ [0, 1 2 ]. Clearly, if an attack on this so called balanced RSA works in the case α = 1, then it threatens the security of standard RSA with small private CRT-exponents. The attack of Bleichenbacher and May uses a lattice of dimension 3. The attack works whenever δ < min{ 1 4, α}, and therefore gives no result in the case α = 1. However, we present a generalization of the attack for higher dimensional lattices that is applicable also for α = 1. To explain our new attack, we first describe the basics of the BM-attack [2]. Bleichenbacher and May start with the two RSA-CRT equations ed p = 1 + k(p 1) and ed q = 1 + l(q 1), and rewrite these as ed p + k 1 = kp and ed q + l 1 = lq. Multiplying the two equations yields e 2 d p d q + ed p (l 1) + ed q (k 1) (N 1)kl (k + l 1) = 0. This can be transformed into the linear equation e 2 x 1 +ex 2 (N 1)x 3 x 4 = 0, if we substitute x 1 = d p d q, x 2 = d p (l 1) + d q (k 1), x 3 = kl, x 4 = k + l 1. The given linear equation leads directly to a lattice attack with a lattice of dimension 3. This attack works provided that δ < min{ 1 4, α}. Although linearization of an equation makes the analysis easier and keeps the lattice dimension small, better results can sometimes be obtained by using a non-linear polynomial equation directly. In the next section, we will pursue this approach and use a polynomial with the variables x 1,..., x 4 corresponding to d p, d q, k, and l, respectively.

5 5 4 The New Attack on RSA-CRT The equation we introduced in the previous section e 2 d p d q + ed p (l 1) + ed q (k 1) (N 1)kl (k + l 1) = 0 yields a polynomial f(x 1, x 2, x 3, x 4 ) = e 2 x 1 x 2 + ex 1 x 4 ex 1 + ex 2 x 3 ex 2 (N 1)x 3 x 4 x 3 x with monomials 1, x 1, x 2, x 3, x 4, x 1 x 2, x 1 x 4, x 2 x 3, x 3 x 4 and a small root x (0) 1 < X 1 = N δ, (x (0) 1, x(0) 2, x(0) 3, x(0) 4 ) = (d p, d q, k, l), with x (0) 2 < X 2 = N δ, x (0) 3 < X 3 = N α+δ 1 2, x (0) 4 < X 4 = N α+δ 1 2. We will follow the strategy for finding small integer roots of Jochemsz and May [13] as sketched in Section 2, to analyze which attack bound corresponds to this polynomial f. In the basic strategy of [13], the set S that describes which monomials 1 xi2 2 xi3 3 xi4 4 are used for the shift polynomials, is simply the set that contains all monomials of f m 1 for a given integer m. The set M is defined as the set of all monomials that appear in 1 xi2 2 xi3 3 xi4 4 f(x 1, x 2, x 3, x 4 ), with 1 xi2 2 xi3 3 xi4 4 S. Since f has a non-zero constant coefficient, all monomials of S are included in M. More precisely, S and M can be described as i 1 = 0,..., m 1 i 3, 1 xi2 2 xi3 3 xi4 4 S i 2 = 0,..., m 1 i 4, i 3 = 0,..., m 1, i 4 = 0,..., m 1, 1 xi2 2 xi3 3 xi4 4 M i 1 = 0,..., m i 3, i 2 = 0,..., m i 4, i 3 = 0,..., m, i 4 = 0,..., m. However, in [13] it is also advised to explore the possibility of extra shifts of one or more variables. Since X 1 and X 2 are significantly smaller than X 3 and X 4 for α > 1 2, we find that the attack bound is superior for α = 1 if we use extra shifts of x 1 and x 2. Therefore, we take i 1 = 0,..., m 1 i 3 + t, 1 xi2 2 xi3 3 xi4 4 S i 2 = 0,..., m 1 i 4 + t, i 3 = 0,..., m 1, i 4 = 0,..., m 1, 1 xi2 2 xi3 3 xi4 4 M i 1 = 0,..., m i 3 + t, i 2 = 0,..., m i 4 + t, i 3 = 0,..., m, i 4 = 0,..., m, for some t that has to be optimized as a function of m and α.

6 6 Our goal is to find at least three polynomials f 0, f 1, f 2 that share the root (x (0) 1, x(0) 2, x(0) 3, x(0) 4 ) over the integers. From Section 2 we know that these polynomials can be computed by lattice reduction techniques as long as X s1 1 Xs2 2 Xs3 3 Xs4 4 < W s, for s j = i j and s = S. x i 1 1 x i 2 3 x i 4 4 M\S For a given integer m and t = τm, our last definition of S and M yields the bound (X 1 X 2 ) ( τ+ 9 4 τ 2 +τ 3 )m 4 +o(m 4) (X 3 X 4 ) ( τ+ 3 2 τ 2 )m 4 +o(m 4 ) < W ( 1 4 +τ+τ 2 )m 4 +o(m 4). To obtain the asymptotic bound, we let m grow to infinity and let all terms of order o(m 4 ) contribute to some error term ɛ. If we substitute the values for X 1, X 2, X 3, X 4, W, we obtain ( τ τ 2 + τ 3) 2δ + ( τ τ 2) (2α + 2δ 1) < ( τ + τ 2) (2α + 2δ), which leads to δ < 5 4α + 20τ 16ατ + 18τ 2 12ατ τ + 66τ τ 3 ɛ. For α = 1, we find an optimal value of τ , and we get δ < ɛ. Hence, for a 1024-bit modulus, d p and d q are in the attack space if they are less then 75 bits. Analogously, for a 2048-bit modulus, d p and d q are in the attack space if they are at most 150 bits. 4.1 Extending the Attack to Other Values of α In Section 4, we assumed that x (0) 1, x(0) 2 are smaller than x (0) 3, x(0) 4, t.i. α 1 2. For α < 1 2, symmetrically one uses extra x 3 and x 4 -shifts instead of extra x 1 and x 2 -shifts. Because of the symmetry, one can immediately see that the attack bound is (X 1 X 2 ) ( τ+ 3 2 τ 2 )m 4 +o(m 4) (X 3 X 4 ) ( τ+ 9 4 τ 2 +τ 3 )m 4 +o(m 4 ) The above bound leads to < W ( 1 4 +τ+τ 2 )m 4 +o(m 4). δ < 5 4α + 20τ 16ατ + 27τ 2 30ατ τ 3 24ατ τ + 66τ τ 3 ɛ. Note that this bound only holds for α + δ > 1 2, since we assume that the values of k and l are unknown to the attacker. Both conditions are only met if α 1 6.

7 7 However, in Section 7.1 we provide experimental evidence that our heuristic attack is successful only when α 1 4. In the revised paper by Sun, Hinek, Wu [21], the authors propose as new parameters {α = 0.577, δ = 0.186}. For this choice, we find the bound δ < 0.192, which breaks the new proposal in polynomial time. 5 Implementation Using Coppersmith s Original Method Although we have derived our attack bound from the strategy of Jochemsz, May [13], we deviate from their strategy for the implementation of the attack. Basically, we make use of Coppersmith s original technique [5] instead of Coron s reformulation [6]. This does not change the asymptotic bound of the attack, but it has a major practical advantage. Namely, the lattices used in the attacks are high-dimensional, and Coppersmith s original method requires only the reduction of a lower-dimensional sublattice 1. Since the LLL-process is the most costly factor in our attack, this leads to a significant improvement in practice. Furthermore, we slightly adapt Coppersmith s original method such that we directly obtain triangular lattice bases, which simplifies the determinant calculations. So let us first explain how to apply Coppersmith s technique for our attack. We introduce the shift polynomials g i1i 2i 3i 4 (x 1, x 2, x 3, x 4 ) = 1 xi2 2 xi3 3 xi4 4 f(x 1, x 2, x 3, x 4 ), for 1 xi2 2 xi3 3 xi4 4 S for a set of monomials S, as specified in Section 4. As before, we define the set M as the set of all monomials that appear in the shift polynomials. We use the notation s = S for the total number of shifts and d = M S for the difference of the number of monomials and the number of shifts. Notice that the maximal coefficient of f(x 1 X 1, x 2 X 2, x 3 X 3, x 4 X 4 ) is e 2 X 1 X 2, and the monomial corresponding to it is x 1 x 2. We define S as the set of monomials +1 1 x i2+1 2 x i3 3 xi4 4, for xi1 1 xi2 2 xi3 3 xi4 4 S. Naturally, S = S = s. We now build a (d + s) (d + s) matrix B 1 as follows. The upper left d d block is diagonal, where the rows represent the monomials 1 xi2 2 xi3 3 xi4 4 M\S. The diagonal entry of the row corresponding to 1 xi2 2 xi3 3 xi4 4 is (Xi1 1 Xi2 2 Xi3 3 Xi4 4 ) 1. The lower left s d block contains only zeros. The last s columns of the matrix B 1 represent the shift polynomials g i1i 2i 3i 4 = 1 xi2 2 xi3 3 xi4 4 f, for xi1 1 xi2 2 xi3 3 xi4 4 S. The first d rows correspond to the monomials in M\S, and the last s rows to the monomials of S. The entry in the column corresponding to g i1i 2i 3i 4 is the coefficient of the monomial in g i1i 2i 3i 4. This description asks for a simple example. Let us use the set S as described in Section 4 with m = 1 and t = 0, which results in the lattice basis B 1 given in Figure 1. We only use the polynomial f(x 1, x 2, x 3, x 4 ) itself as a shift polynomial. 1 In these CRYPTO 07 proceedings, a new article by Coron [7] shows how to adapt his method such that it also requires only the reduction of a sublattice instead of the reduction of the full lattice, and hence his new technique could be applied here, too.

8 8 Therefore, s = 1 and we have d+s = 9 monomials. The rows represent the monomials 1, x 1, x 2, x 3, x 4, x 3 x 4, x 2 x 3, x 1 x 4, x 1 x 2 and the last column corresponds to the coefficients of these monomials in f X e X e X X X 3 X N 1 B X 2 X 3 0 e X 1 X 4 e A e 2 Figure1. Matrix B 1 for the case m = 1, t = 0 In general, the determinant of the matrix B 1 is det(b 1 ) = (X i1 1 Xi2 2 Xi3 3 Xi4 x i 1 1 x i 2 3 x i 4 4 M\S 4 ) 1 (e 2 ) s. Let v(x 1, x 2, x 3, x 4 ) = (1, x 1, x 2, x 3, x 4, x 3 x 4, x 2 x 3, x 1 x 4, x 1 x 2 ). Note that in our example, v(x 1, x 2, x 3, x 4 ) B 1 := (1, x1 X 1, x2 X 2, x3 X 3, x4 X 4, x3x4 X 3X 4, x2x3 X 2X 3, x1x4 X 1X 4, f(x 1, x 2, x 3, x 4 )). So, v(d p, d q, k, l) B 1 = (1, dp X 1, dq X 2, k X 3, l X 4, kl X 3X 4, d qk X 2X 3, d pl X 1X 4, 0) d. Since the X j upper bound the root, there is always such a vector v which, if one substitutes the unknowns {d p, d q, k, l} for the variables {x 1, x 2, x 3, x 4 }, becomes a vector with Euclidean norm smaller than d after multiplication with the matrix B 1. Let us perform a unimodular transformation U 1 on B 1 to create a matrix B 2 such that ( ) Ad d 0 B 2 = U 1 B 1 = d s A s d I. s s Now if the rows of B 1 form a basis of a lattice L, then the rows of B 2 form a basis of the same lattice. Moreover, the rows of B 3 = ( A d d 0 d s )

9 9 are a basis of the sublattice L 0 of L which has zeros in the last s entries. Notice that det(l 0 ) = det(l). Clearly, v(d p, d q, k, l) B 1 is in the lattice L 0 spanned by the rows of B 3. Since v(d p, d q, k, l) B 1 = v(d p, d q, k, l)u 1 1 B 2, this means that the last s entries of v(d p, d q, k, l)u 1 1 must be zero. We use the notation v sh for the vector v with its length shortened to its first d entries. Then, v(d p, d q, k, l) B 1 sh = v(d p, d q, k, l)u 1 1 B 2 sh = v(d p, d q, k, l)u 1 1 sh A. Next, we reduce A using lattice basis reduction to a basis B = U 2 A. It follows that v(d p, d q, k, l) B 1 sh = v(d p, d q, k, l)u1 1 sh U 2 1 B. We use the notation v (d p, d q, k, l) for the vector v(d p, d q, k, l)u1 1 sh U 2 1, and B (with row vectors b i ) for the basis after applying Gram-Schmidt orthogonalization to B. Now we can make three observations. Firstly, the vector v is integral. This is because both matrices U 1 and U 2 have integer entries. Secondly, v(d p, d q, k, l) B 1 < d. Thirdly, it is known [15] that the Gram-Schmidt orthogonalization of the LLL-reduced basis satisfies b d 2 (d 1) 4 det(l) 1 d. So, if we combine these three facts, we obtain that d v(dp, d q, k, l) B 1 = v(d p, d q, k, l) B 1 sh = v (d p, d q, k, l)b v (d p, d q, k, l) d b d v (d p, d q, k, l) d 2 (d 1) 4 det(l) 1 d. Since the terms 2 (d 1) 4 and d do not depend on N, we let them contribute to an error term ɛ. Thus, whenever det(l) 1 d > 1, we must have v (d p, d q, k, l) d = 0. Hence, the polynomial f 0 (x 1, x 2, x 3, x 4 ) corresponding to the coefficient vector v (x 1, x 2, x 3, x 4 ) d contains the root (d p, d q, k, l) over the integers. In Appendix A, we show that the bound det(l) 1 d > 1 is equivalent to the bound (1) that was given in Section 2. Moreover, we use a result from Jutla [14] to show that the vectors v (x 1, x 2, x 3, x 4 ) d l, l 2, yield a list of at least three polynomials f 0,..., f l having the same root (d p, d q, k, l). In the next section, we show how to retrieve this root from the polynomials f, f 0,..., f l. The running time of our algorithm is dominated by the time to LLL-reduce the lattice basis A. Taking the algorithm of Nguyen, Stehlé [17] this can be achieved in O(d 5 (d + log A m ) log A m ), where log A m is the maximal bitsize of an

10 10 entry in A. Our lattice dimension d depends on ɛ 1 only, whereas the bitsize of the entries is bounded by a polynomial in log N. Therefore, the construction of f 0,..., f l can be done in time polynomial in log N. Moreover, f 0,..., f l have a fixed degree that only depends on ɛ 1 and coefficients with bitsize polynomial in log N. This will be important for the analysis in the following section. 6 Extracting the Common Root Assume that we want to retrieve a common root from four polynomials f, f 0, f 1, f 2. Usually, one uses resultants to eliminate variables one by one until one obtains a univariate polynomial w 0 (x 1 ) that has x (0) 1 as a root: r 0 (x 1, x 2, x 3 ) = Res x4 (f, f 0 ) s 0 (x 1, x 2 ) = Res x3 (r 0, r 1 ) r 1 (x 1, x 2, x 3 ) = Res x4 (f, f 1 ) w 0 (x 1 ) = Res x2 (r 3, r 4 ) s 1 (x 1, x 2 ) = Res x3 (r 1, r 2 ) r 2 (x 1, x 2, x 3 ) = Res x4 (f, f 2 ) However, this method only works if the polynomials are algebraically independent. One cannot easily use more than three candidates f j, besides repeating the scheme for different combinations. Moreover, the last resultant computation can take a significant amount of time and memory, since the degrees of the resultant polynomials grow fast. We use Gröbner Bases instead of resultant methods to extract the root. For a detailed introduction to Gröbner Bases, we refer to [8]. Suppose we have a set of polynomials {f, f 0,..., f l } that have the small root (x (0) 1,..., x(0) n ) in common. Then a Gröbner Basis G := {g 1,..., g t } is a set of polynomials that preserves the set of common roots of {f, f 0,..., f l }. In other words, the variety of the ideal I generated by {g 1,..., g t } is the same as the variety of the ideal generated by {f, f 0,..., f l }. The advantage of having a Gröbner Basis is that the g i can be computed with respect to some ordering that eliminates the variables. Having such an elimination ordering, it is easy to extract the desired root. In our experiments in Section 7 we usually found much more polynomials f 0,..., f l than the required amount of l = 2. Therefore, we have two advantages of Gröbner Bases in comparison with resultants. First, in contrast to resultants the computation time of a Gröbner Basis usually benefits from more overdefined systems which lowers the time for extracting the root. Second, we do not have to search over all subsets of three polynomials until we find an algebraically independent one. Instead, we simply put all the polynomials in our Gröbner Basis computation. The elimination of variables can only fail if the variety V(I) defined by the ideal I which is generated by {f, f 0,..., f l } is not zero-dimensional. Therefore, we make the following heuristic assumption for our attack. Assumption 1: The variety V(I) of the ideal I generated by the polynomials in the construction of Section 5 is zero-dimensional.

11 11 Under Assumption 1, the secret root (d p, d q, k, l) can be derived in polynomial time, since we run a Gröbner Basis computation on polynomials of a fixed degree. Recently, Bauer and Joux [1] made some important progress considering the heuristic involved in Coppersmith methods. Their result, for roots of trivariate polynomials, can in theory be extended to more variables. In this way, one could investigate if Assumption 1 can be replaced by a weaker assumption. In this paper, we made no efforts in this direction. Instead we verified the validity of Assumption 1 by experiments. 7 Experiments In order to test the attack described in this paper for varying bitsizes of e and d p, d q we designed a key generation process similar to the one proposed by Galbraith, Heneghan, and McKee [10]. INPUT: Bitsizes n of N, αn of e, δn of d p, d q (1) Choose d p, d q of bitsize δn. (2) Choose k, l of bitsize (α + δ 1 2 )n such that gcd(d p, k) = gcd(d q, l) = gcd(k, l) = 1. (3) Compute e using Chinese Remaindering such that e = d 1 p mod k e = d 1 mod l. q (4) Compute e := e + c kl for some c of bitsize (1 α 2δ)n. (5) Compute p = edp 1 k 1 and q = edq 1 l 1. If either p or q is composite, repeat the whole algorithm. OUTPUT: CRT-RSA-instance (e, N, d p, d q, p, q) Notice that this key generation algorithm works as long as α + 2δ 1. Namely, in Step 3 we compute a public key e of bitsize (2α + 2δ 1)n, which is extended in Step 4 to bitsize αn. Therefore, we require that α 2α + 2δ 1. The above key generation is a slight variation of the GHM algorithm. In [10], the authors choose e, k, l first and afterwards compute d p, d q as inverses of e mod k, l, respectively. Then analogously to Step 4 above, they fill up d q, d q to the desired bitsize. Thus, their key generation requires that the sizes of d p, d q are at least the sizes of k, l. However, this condition is not fulfilled by a large portion of the RSA instances that we can attack. If the conditions of both key generations are fulfilled, one should however prefer the GHM method. It is more efficient, since one can generate p and q separately. In the following experiments, we applied our key generation algorithm for varying sizes of e and d p, d q. The LLL reduction was carried out using a C- implementation of the provable L 2 reduction algorithm due to Nguyen and Stehlé [17]. The timings were performed on a 1GHz PC running Cygwin.

12 Experiments for Small e All experiments in this section were done for 1000-bit N. For every fixed e, we looked for the maximal bitsize for d p, d q that gave us enough small vectors for recovering the secrets. In our experiments, we fixed the attack parameter m = 2 and tried different values of t. In the table below, the third column provides the bound of Bleichenbacher- May which can be achieved using a 3-dimensional lattice. The fourth column provides the bound for an attack of Galbraith, Heneghan, and McKee [10], which is closely related to the attack described in this paper (see Appendix B for details on this GHM-attack). The δ-column gives the theoretical upper bound for the chosen parameters m, t and e. The asymp -column gives the asymptotic bound which is reached when the lattice dimension goes to infinity. e d p, d q BM[2] GHM[10] δ asymp lattice parameters LLL 250 bit 332 bit m = 2, t = 0, dim = 27 2 sec 300 bit 299 bit m = 2, t = 0, dim = 27 2 sec 400 bit 239 bit m = 2, t = 0, dim = 27 2 sec 500 bit 199 bit m = 2, t = 0, dim = 27 2 sec 577 bit 168 bit m = 2, t = 0, dim = 27 2 sec 700 bit 119 bit m = 2, t = 0, dim = 27 2 sec 800 bit 79 bit m = 2, t = 0, dim = 27 2 sec 900 bit 38 bit m = 2, t = 0, dim = 27 2 sec 900 bit 40 bit m = 2, t = 1, dim = sec 925 bit 29 bit m = 2, t = 0, dim = 27 2 sec 925 bit 31 bit m = 2, t = 1, dim = sec 950 bit 19 bit m = 2, t = 0, dim = 27 2 sec 950 bit 23 bit m = 2, t = 1, dim = sec In all the above experiments, we were able to recover the factorization of N. Experimentally, we see that our attack is much better than theoretically predicted. The reason is that for these RSA parameter settings, the shortest vectors are linear combinations of certain subsets of the lattice basis. I.e., the shortest vectors belong to some sublattice and the determinant calculation of the full lattice in Section 4 does not accurately capture the optimal choice of basis vectors. However, to identify the optimal sublattice structure for every fixed size e seems to be a difficult task. Let us first comment on the results for 250-bit and 300-bit e. As can be seen in Appendix B, there exists an attack by Galbraith, Heneghan, and McKee [10] that is closely related to our new attack. Basically, they use a Coppersmith method for finding modular roots, to find the small root (k, l) of a polynomial f e modulo e. The polynomial f e is exactly our polynomial f taken modulo e. Since for α = 0.25, α = 0.3, the bound of the GHM-attack is superior to our new attack bound, the GHM-attack should be used for these cases instead of the new attack. However, if one uses the new attack, the lattice reduction algorithm chooses certain sublattices that still lead to the GHM-bound. This explains for these small values of α, why the experimental results are better than expected.

13 13 These were the only instances that we discovered, where Assumption 1 failed. Since the reduced basis vectors corresponded to the underlying structure of the GHM-attack, we were not able to eliminate three variables. However, we always found a polynomial of the form (k + l 1)x 3 x 4 kl(x 3 + x 4 1) in the Gröbner Basis, which directly yields k and l. The knowledge of k is sufficient to factor N in polynomial time, provided that e is large enough: Notice that p = 1 k 1 mod e. From a theorem of Coppersmith for factoring with high bits known [5], it follows that we can find p in polynomial time whenever e N 1 4, which is satisfied in our experiments. We also made attacks for the case e < N 1 4, where we still got the secrets k, l. However, this information seems to be not sufficient for factoring N efficiently. This is consistent with the GHM-attack, where Galbraith, Heneghan, and McKee state that the attack only succeeds if the factorization of N can be extracted in polynomial time from the knowledge of the exposed k, l. For α 2/5, i.e. e of bitsize at least 400, Assumption 1 was always valid. In all experiments, the Gröbner Basis of all polynomials yields the secret parameters (d p, d q, k, l) and therefore the factorization of N. The roots were found by using the F4 Gröbner Basis algorithm implemented in Magma V We would like to note that, when we did not include all candidates f 0,..., f l but used only a few, it sometimes happened that we could eliminate two variables only. In that case, we were still able to retrieve the secrets, since the Gröbner Basis, where x 2 and x 4 were eliminated, then contained a polynomial with the terms (d p + (k 1)x 1 d p x 3 ) and (d q + (l 1)x 1 d q x 3 ) in its factorization. For e of bitsizes 400 up to 800, we actually rediscovered the bound 2 5 (1 α) by Bleichenbacher, May experimentally. Again the lattice reduction algorithm chose certain sublattices which in this case lead to the BM-bound. Even a moderate increasement of the lattice dimension did not give us any improvement in this range of e. Although our asymptotical bound always beats the BM-bound, we are not able to see this effect for small e, since going beyond the BM-bound requires high-dimensional lattice bases. For e larger than 900 bits we can for the first time see the effect of increasing the lattice dimension and we are able to go slightly beyond the BM-bound. This effect intensifies for full size e, where the BM-bound does not give any results at all. 7.2 Experiments for Full Size e Here we describe the experiments for RSA with a standard key generation for small CRT-exponents, which usually yields full size e. Namely, the parameters d p, d q are chosen for a fixed bitsize and e is the unique integer modulo φ(n) which is the inverse of d p, d q modulo p 1 and q 1, respectively.

14 14 N d p, d q δ lattice parameters LLL-time 1000 bit 10 bit m = 2, t = 1, dim = sec 1000 bit 13 bit m = 2, t = 2, dim = sec 1000 bit 15 bit m = 3, t = 1, dim = sec 2000 bit 20 bit m = 2, t = 1, dim = sec 2000 bit 22 bit m = 2, t = 2, dim = sec 2000 bit 32 bit m = 3, t = 1, dim = sec 5000 bit 52 bit m = 2, t = 1, dim = sec 5000 bit 70 bit m = 2, t = 2, dim = sec bit 105 bit m = 2, t = 1, dim = sec bit 140 bit m = 2, t = 2, dim = sec Every experiment gave us sufficiently many polynomials with the desired roots over the integers, such that we could recover the factorization. The Gröbner computation never took more than 100 seconds and consumed a maximum of 300 MB. Notice that for bit N, we can recover d p, d q of bitsize 140, which would not be possible by a square-root attack. As in the experiments before, the δ-bound is very inaccurate. For lattice dimensions 56 and 95, we should not obtain any results at all, while experimentally we succeeded for d with bitsizes roughly a fraction respectively a fraction of N. On the other hand, our asymptotical bound states that we could in theory go up to a fraction. Unfortunately, we are a tad bit away from the theoretical bound, since currently the best LLL-reductions only allow to reduce lattice bases of moderate size, when the base matrices have large entries. Let us give a numerical example. Theoretically, for m = 10 we find an optimal value of t = 6 which yields a bound of However, this parameter choice results in a lattice dimension of 4200 which is clearly out of practical reach. Our result guarantees that one can find the factorization of N for a sufficiently large but fixed lattice dimension for CRT-exponents d p, d q up to a fraction. Moreover, it does not rule out that one can go beyond this bound. Even with our approach, the experimental results seem to indicate that an analysis of sublattice structures could lead to a better theoretical bound. We hope that these open problems stimulate further research in the exciting areas of lattice-based cryptanalysis and fast practical lattice reduction algorithms. Acknowledgements: We thank Antoine Joux and Ralph-Philipp Weinmann for discussions about Gröbner Bases, Maike Ritzenhofen for doing the Gröbner Basis computations in Magma, and Benne de Weger for his helpful comments.

15 15 References 1. A. Bauer, A. Joux, Toward a Rigorous Variation of Coppersmith s Algorithm on Three Variables, Proceedings of Eurocrypt 07, LNCS 4515 [2007], pp D. Bleichenbacher, A. May, New Attacks on RSA with Small Secret CRT- Exponents, Proceedings of PKC 2006, LNCS 3958 [2006], pp D. Boneh, Twenty Years of Attacks on the RSA Cryptosystem, Notices of the American Mathematical Society 46 [1999], pp D. Boneh, G. Durfee, Cryptanalysis of RSA with Private Key d Less Than N 0.292, IEEE Transactions on Information Theory 46 [2000], D. Coppersmith, Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, Journal of Cryptology 10 [1997], pp J.-S. Coron, Finding Small Roots of Bivariate Integer Equations Revisited, Proceedings of Eurocrypt 04, LNCS 3027 [2004], pp J.-S. Coron, Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach, in these proceedings (Crypto 07). 8. D. Cox, J. Little, D. O Shea, Ideals, Varieties, and Algorithms, Second Edition, Springer-Verlag [1998]. 9. ECRYPT - Hardness of the Main Computational Problems Used in Cryptography, IST , available at D.AZTEC pdf 10. S. Galbraith, C. Heneghan, J. McKee, Tunable Balancing of RSA, Proceedings of ACISP 2005, LNCS 3574 [2005], pp S. Galbraith, C. Heneghan, J. McKee, Tunable Balancing of RSA, full version of [10], sdg/full-tunable-rsa.pdf. 12. N. Howgrave-Graham, Finding Small Roots of Univariate Modular Equations Revisited, Cryptography and Coding, LNCS 1355 [1997], pp E. Jochemsz, A. May, A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, Proceedings of Asiacrypt 06, LNCS 4284 [2006], pp C.S. Jutla, On Finding Small Solutions of Modular Multivariate Polynomial Equations, Proceedings of Eurocrypt 98, LNCS 1403 [1998], pp A. Lenstra, H. Lenstra, Jr., L. Lovász, Factoring Polynomials with Rational Coefficients, Mathematische Ann. 261 [1982], pp A. May, Cryptanalysis of Unbalanced RSA with Small CRT-Exponent, Proceedings of Crypto 02, LNCS 2442 [2002], pp P. Nguyen, D. Stehlé, Floating-Point LLL Revisited, Proceedings of Eurocrypt 06, LNCS 3494 [2006], pp J.J. Quisquater, C. Couvreur, Fast decipherment algorithm for RSA publickey cryptosystems Electronic Letters 18 [1982], pp STORK - Strategic Roadmap for Crypto, IST , available at 1.pdf 20. H.-M. Sun, M.-E. Wu, An Approach Towards RSA-CRT with Short Public Exponent, IACR eprint, H.-M. Sun, M.J. Hinek, M.-E. Wu, On the Design of Rebalanced RSA-CRT, revised version of [20], techreports/2005/cacr pdf 22. M. Wiener, Cryptanalysis of Short RSA Secret Exponents, IEEE Transactions on Information Theory 36 [1990], pp

16 16 A Calculating the Bound and Finding More Polynomials In this appendix, we show that the bound det(l) 1 d > 1 of the implementation of our attack using Coppersmith s original method (Section 5) is equivalent to the bound (1) corresponding to an implementation following Coron s method (as used in Section 2). Moreover, we use a result from Jutla [14] to show that the vectors v (x 1, x 2, x 3, x 4 ) d l, l 2, yield a list of at least three polynomials f 0,..., f l having the same root (d p, d q, k, l). One can check that 1 d det(l) 1 d = det(b1 ) 1 d = (X i1 1 Xi2 2 Xi3 3 Xi4 4 ) 1 (e 2 ) s d. x i 1 1 x i 2 3 x i 4 4 M\S So the bound det(l) 1 d > 1 implies that (X i1 1 Xi2 2 Xi3 3 Xi4 x i 1 1 x i 2 3 x i 4 4 M\S 4 ) < (e 2 ) s. (2) Let us substitute e 2 by W X 1X 2. We observe that the difference between the monomials of M\S and M\S is s times the monomial x 1 x 2. Multiplying both sides by (X 1 X 2 ) s yields X s1 1 Xs2 2 Xs3 3 Xs4 4 < W s, for s j = x i 1 1 x i 2 3 x i 4 4 M\S i j and s = 1. x i 1 1 x i 2 3 x i 4 4 S Notice that this condition is equivalent to the condition (1) given in Section 2. It follows that if this bound holds, then applying Coppersmith s method gives us a polynomial f 0 (x 1, x 2, x 3, x 4 ) from the coefficient vector v (x 1, x 2, x 3, x 4 ) d, such that f 0 has the desired root (d p, d q, k, l) over the integers. But in order to extract the root, we have to construct at least two more polynomials which share the same root. We will prove now that it is always possible to construct any constant number of polynomials with the same common root provided that condition (1) is satisfied, at the cost of a slightly larger error term ɛ in the construction. Therefore, we use a theorem of Jutla [14], which gives us a lower bound for the length of any Gram-Schmidt vector in an LLL-reduced basis. Namely, b i 2 (i 1) 4 ( ) 1 det(l) i b m i max for i = 1... d, where b max is the maximal length of the Gram-Schmidt orthogonalization of the matrix A (the matrix before starting the LLL-reduction process). Following the analysis of [14], it can be checked that in our attack, b max = e 2. Therefore,

17 17 b i > 1 reduces to ( ) 2 (i 1) x 4 i1 1 xi 2 3 x i 4 (X i1 4 M\S 1 Xi2 2 Xi3 3 Xi4 4 ) 1 (e 2 ) s (e 2 ) d i 1 i > 1. Since 2 (i 1) 4 does not depend on N, we let it contribute to an error term ɛ. This simplifies our condition to (X i1 1 Xi2 2 Xi3 3 Xi4 4 ) < (e2 ) s (d i), x i 1 1 x i 2 3 x i 4 4 M\S Notice that for i = d, we obtain the same bound as in (2). In Section 4, we have seen that s = m 4 (1 + o(1)). So as long as d i = o(m 4 ), the asymptotic bound does not change and we get just another error term that contributes to ɛ. This is clearly satisfied if d i = l for some constant l. Thus, all polynomials f 0,..., f l corresponding to the coefficient vectors v (x 1, x 2, x 3, x 4 ) d i, i = 0... l, share the common root (d p, d q, k, l), as desired. B A Related Attack by Galbraith, Heneghan, and McKee In Section 7.1 we noted that for very small e, there is an attack by Galbraith, Heneghan, and McKee [10, Section 5.1] that works better than our new attack. In this appendix, we briefly describe this GHM-attack and its relation to our new attack. Recall that for our new attack, we multiply the equations to obtain the polynomial ed p + k 1 = kp and ed q + l 1 = lq f(x 1, x 2, x 3, x 4 ) = e 2 x 1 x 2 +ex 1 x 4 ex 1 +ex 2 x 3 ex 2 (N 1)x 3 x 4 x 3 x 4 +1 with the small root (d p, d q, k, l). In their attack in [10, Section 5.1], Galbraith, Heneghan, and McKee do essentially the same, but modulo e. Hence, the goal of their attack is to find the modular root (k, l) of the polynomial f e (x 3, x 4 ) = (N 1)x 3 x 4 + x 3 + x 4 1 modulo e. This polynomial f e, with monomials 1, x 3, x 4, x 3 x 4 has a wellknown [5] bound X 3 X 4 < e 2 3. that specifies for which upper bounds X 3, X 4 of x 3, x 4 the root can be found in polynomial time. Substituting X 3 = X 4 = N α+δ 1 2, and e = N α, we find the attack bound δ < α. For very small α (for instance α = 0.25 and δ = 0.3), this bound is superior to the bound obtained by our new attack, and for these cases, the GHM-attack should be preferred to the new attack.

A new attack on RSA with a composed decryption exponent

A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr